[libvirt] [PATCH] network: explicitly allow icmp/icmpv6 in libvirt zonefile

[Daniel P. Berrangé]

On Thu, Feb 14, 2019 at 02:46:22PM -0500, Laine Stump wrote:
> The libvirt zonefile for firewalld (added in commit 3b71f2e4) does the
> following:
> 
> 1) lists specific services it wants to allow, then
> 
> 2) uses a lower priority <reject/> rule to block all other services to
>    the host, and then finally,
> 
> 3) relies on the zone's default "accept" policy to, accept all
>    forwarded traffic (since forwarded traffic is ignored by the
>    slightly higher priority <reject/> rule in (2)).
> 
> I had assumed that icmp traffic was either being allowed at the top of
> the rules, or that it would be ignored by the <reject/> rule and
> passed by the default accept policy (similar to forwarded traffic),
> but this assumption was incorrect; the <reject/> rule does block icmp
> traffic. This became apparent when DHCPv6 which requires ICMPv6 in
> addition to udp/dhcpv6) failed to work.
> 
> This all means that in order to achieve our original goal of "similar
> behavior to a default reject policy, but also allowing forwarded
> traffic", we need to add rules to allow all icmp and icmpv6 traffic to
> the libvirt zone, and that's what this patch does.
> 
> This is a further refinement of the resolution to
> https://bugzilla.redhat.com/1650320
> 
> Signed-off-by: Laine Stump <laine at laine.org>
> ---
>  src/network/libvirt.zone | 2 ++
>  1 file changed, 2 insertions(+)

Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|